apiVersion: v1
kind: Pod
metadata:
  name: kube-proxy
  namespace: {{system_namespace}}
  labels:
    k8s-app: kube-proxy
spec:
  hostNetwork: true
{% if kube_version | version_compare('v1.6', '>=') %}
  dnsPolicy: ClusterFirst
{% endif %}
  containers:
  - name: kube-proxy
    image: {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }}
    imagePullPolicy: {{ k8s_image_pull_policy }}
    resources:
      limits:
        cpu: {{ kube_proxy_cpu_limit }}
        memory: {{ kube_proxy_memory_limit }}
      requests:
        cpu: {{ kube_proxy_cpu_requests }}
        memory: {{ kube_proxy_memory_requests }}
    command:
    - /hyperkube
    - proxy
    - --v={{ kube_log_level }}
    - --master={{ kube_apiserver_endpoint }}
{% if not is_kube_master %}
    - --kubeconfig={{kube_config_dir}}/node-kubeconfig.yaml
{% endif %}
    - --bind-address={{ ip | default(ansible_default_ipv4.address) }}
    - --cluster-cidr={{ kube_pods_subnet }}
    - --proxy-mode={{ kube_proxy_mode }}
{% if kube_proxy_masquerade_all and kube_proxy_mode == "iptables" %}
    - --masquerade-all
{% endif %}
    securityContext:
      privileged: true
    volumeMounts:
    - mountPath: /etc/ssl/certs
      name: ssl-certs-host
      readOnly: true
    - mountPath: {{kube_config_dir}}/node-kubeconfig.yaml
      name: "kubeconfig"
      readOnly: true
    - mountPath: {{kube_config_dir}}/ssl
      name: "etc-kube-ssl"
      readOnly: true
    - mountPath: /var/run/dbus
      name: "var-run-dbus"
      readOnly: false
  volumes:
  - name: ssl-certs-host
    hostPath:
{% if ansible_os_family == 'RedHat' %}
      path: /etc/pki/tls
{% else %}
      path: /usr/share/ca-certificates
{% endif %}
  - name: "kubeconfig"
    hostPath:
      path: "{{kube_config_dir}}/node-kubeconfig.yaml"
  - name: "etc-kube-ssl"
    hostPath:
      path: "{{kube_config_dir}}/ssl"
  - name: "var-run-dbus"
    hostPath:
      path: "/var/run/dbus"
